The aim of this tutorial is to enable you to set up a little VPN
that will let you do many things – but my primary goal when trying to
get this to work was to allow me and my friend (who sits behind a
firewalled network at University) to play the new games that would not
work over Hamachi because they did not ship with LAN and required an
always-on internet connection (DRM). His network also uses traffic
shaping and blocks UDP packets, making online gaming impossible.
This tutorial is heavily based on the one found here but I have updated it and added some more information.
You will need
A Linux Server or Linux VPS
– although this tutorial is specifically aimed at Debian based
distributions, the OpenVPN configurations will be the same across the
board – you will just have to tweak a few of the commands and
directories. I tested this on OpenVZ but it should work on other
A couple of kernel modules enabled – You will need to be able to use the NAT table functionality of IP Tables. You will also need to have the Tap/Tun device enabled. If you are using a VPS you will need to contact your hosting provider to enable these if they are not available – I point out during the tutorial where you will find out if these are not enabled.
A client – You will need at least one client to connect to your VPN – this can be with either a Windows or Linux client, but I will be showing a tutorial for Windows only – Linux client configuration will be the same however so you should have no trouble.
Install OpenVPN – we also need openssl later so might as well install it here:
apt-get install openvpn openssl
and comment everything out – this means that OpenVPN will automatically
start any VPNs for which it finds a configuration. Configurations are
stored in /etc/openvpn and have the .conf extension.
Now we need to create some certificates.
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 ./easy-rsa
Now we need to edit the variables of the certificates we are about to create.
Now you need to change this line (somewhere near the top) export EASY_RSA="`pwd`" to export EASY_RSA="/etc/openvpn/easy-rsa"
Then you should edit the following to reflect your information:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
I, however, left all this stuff the same because I didn’t really care about
the security of my gaming LAN. If you don’t care either then leave them
all as default.
Save and quit.
Now you need
to run this command – the command is a dot followed by a space followed
by a dot followed by /easy-rsa/vars – if you do not include the space it
will not work
It might say something like NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys – This is normal.
Then run this command which will not give you any output.
Now we run build-ca to get the certificate authority (ca) file. You can use
all the variables you just set in the vars file; just press enter for
all the questions. You should see OpenVPN as the common name.
Now that is done we will build the server keys. You will be asked a load of
questions again; just enter through them all, making sure that server is
the default value for common name. You will be asked two yes / no
questions at the end – put y and hit enter for both.
Now we will build the client keys – repeat this step for however many
clients you want to allow on your VPN – 1 for each client. Just change
the client1 to client2… client3 etc and run the command as many
times as needed. Same deal as above: just enter through the questions
and make sure the common name is the same as the variable passed on the command line and nothing else. Say yes to the last two questions.
Now let’s create Diffie Hellman parameters:
Now all that is done you should have a new directory called keys located here: /etc/openvpn/easy-rsa/keys
We need to make the server configuration file – you can call this
whatever you want because we told OpenVPN to load all configurations it
put all of this in there after making the following changes if you want
– the default configuration should work straight out of the box though:
- I have set the port to 8080. The default port is 1194. I made this change
because some firewalls will not allow connections to various port
numbers. You can use anything, but make sure you change it on both the
clients and the server.
- I also use tcp for proto. udp
is likely to give you better performance, but again, I had to set tcp as
udp was blocked by the firewall. You can switch it to udp if you wish
but make sure you do it on both the clients and the server.
- You can change the two lines where we set the DNS servers if you wish.
These must be accessible servers for name resolution on the VPN. The
ones in the configuration file are Google’s public DNS Nameservers so
they should be fine unless you have your own that you need to use.
- You might want to disable compression of the data stream to squeeze out
that extra performance. I have not experienced any problems as all of
the clients and the server are fairly high powered. Just comment out
comp-lzo if you notice a problem – make sure you do this in the server
and the client configurations!
- You might want to change
the user and group settings if you want to run the server as a
different user or remove them altogether to run as root.
dev tun
proto tcp
port 8080
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1"
#set the dns servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn
comp-lzo
Once you have saved all of that and made any changes we need to tell our
server how to handle internet packets from the various clients on the
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
To ensure that IP forwarding will be enabled after the server is
rebooted, you should edit “/etc/sysctl.conf” and uncomment
The iptables command assumes that the device with internet access is eth0. If you are using an OpenVZ VPS then replace eth0 with
venet0. To get a list of all your devices type ifconfig and change the command as needed. This command will fail if you do not have the right kernel
modules enabled with something like this:
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
FATAL: Module ip_tables not found.
iptables v1.4.10: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
You can verify the rule was written correctly with this command:
sudo iptables -L -t nat
And, if you make a mistake and want to remove all the offending rules from IPTables:
sudo iptables -F -t nat
Now we are done with the server and ready to start it.
You should get a success message. If not then check the error log by typing
This is where you might find out you need the tun/tap tunneling kernel
module enabling. If you get a load of junk about the tun/tap adapter
being unavailable or write protected then this is most likely the case. You should google any other errors.
Remember all of those security certificates we made? You need to send some of
them over to the client. Now, you should really send them in some sort
of secure manner so I would recommend ssh file transfer.
You need to transfer the following files:
If you have more than one client, they need to get their individual key and crt files, as well as the ca.crt file.
Copy the 3 files you just got from the server to the openvpn/config
directory. You then need to create a configuration file in this
directory. On Windows this file has the extension ovpn. I called mine gamevpn.ovpn but it doesn’t really matter.
The contents of the file follow. You will need to make any changes in this
configuration to reflect any server configuration changes you may have
made earlier. If you did not make any changes to the server then the
only things you need to worry about are:
- The remote configuration option needs to be changed to the ip and port of the host server.
- The cert and key files need to match those which you downloaded from the server.
dev tun
client
proto tcp
remote w.x.y.z 8080
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
Save the file.
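The port, protocol and compression settings have to be the same in the server and client files, and a change made on one side only is an easy mistake to miss. The following shell functions are an added example, not part of the original tutorial, that compares the two files for those directives. The function names and the deliberately mismatched sample client are constructed for illustration, and it assumes the client gives its port on the remote line as in the file above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: report directives that the
# tutorial says must be identical in the server and client files.

# opt FILE KEY DEFAULT: first argument of directive KEY, skipping comment lines.
# A directive with no argument (plain "comp-lzo") is reported as "on".
opt() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*[#;]/ { next }
        $1 == k { v = (NF > 1 ? $2 : "on"); found = 1; exit }
        END { print (found ? v : d) }' "$1"
}

# The client gives its port as the third field of "remote <host> <port>".
client_port() {
    awk '/^[ \t]*[#;]/ { next }
         $1 == "remote" { p = (NF >= 3 ? $3 : "1194"); found = 1; exit }
         END { print (found ? p : "unset") }' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: one line per mismatch, exit status = count.
check_pair() {
    bad=0
    for key in dev proto comp-lzo; do
        case $key in proto) def=udp ;; *) def=unset ;; esac
        s=$(opt "$1" "$key" "$def" | sed 's/-server$//')
        c=$(opt "$2" "$key" "$def" | sed 's/-client$//')
        [ "$s" = "$c" ] || { echo "MISMATCH $key: server=$s client=$c"; bad=$((bad + 1)); }
    done
    sport=$(opt "$1" port 1194); cport=$(client_port "$2")
    [ "$sport" = "$cport" ] || { echo "MISMATCH port: server=$sport client=$cport"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample: the tutorial's server settings against a client that was
# switched to udp and had comp-lzo commented out on the client side only.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'dev tun' 'proto tcp' 'port 8080' 'comp-lzo' > "$d/server.conf"
    printf '%s\n' 'dev tun' 'client' 'proto udp' 'remote w.x.y.z 8080' '#comp-lzo' > "$d/gamevpn.ovpn"
    rc=0; check_pair "$d/server.conf" "$d/gamevpn.ovpn" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "$? setting(s) differ between server and client"
```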
There are no more Linux instructions after this point for the client.
On Windows you now need to run the OpenVPN GUI application, a shortcut for which will be on your desktop if you have not removed it. Make sure you run this application as an administrator or it will not be able to add the relevant routing bits and pieces to the routing table.
Once this application starts up, right click the tray icon and click connect – note: if after connecting you lose internet access just disconnect and the normal routing table will be restored.
You should be given an IP and all should be well. To test it, open a command prompt window (start, cmd) and type ping 10.8.0.1
– if you get replies then all is good. You should also be able to ping
your computer from the server and ping any other clients on the new VPN.
It is not the end of the world if you can not ping ALL of the other
clients on the network – if you can ping at least a few then the network
is working and it is just the individual clients that are configured not to reply to ping requests. If no client on the network can ping
any other client then you might have a problem.
We now need to
test the internet connectivity – but before we do we need to configure
Windows to use the VPN connection by default – these are Windows Vista /
7 instructions but something similar will work on XP.
- Go to control panel > network and internet > network and sharing centre > change adapter settings
- You need to right click on the adapter that is displayed in
this window which has the information “Tap-Win32 (or 64) …..” under it. Click rename. Rename it to GameVPN, OpenVPN or
- Right click the newly renamed network connection and select properties
- Untick the box next to QoS packet scheduler and internet protocol version 6.
- Once you have done this click ok.
- You now need to press alt to display the menu at the top of the connections window.
- Click advanced > advanced settings
- In the top box there will be a list of your connections, you
need to use the arrows on the right to move GameVPN or whatever you
called it to the top of the list then click ok.
- Go to http://www.whatsmyip.org/
Your IP address should now be that of the server.
That should be it: you should be able to play games, browse the internet,
download torrents etc through the VPN. You should be able to run games
in either LAN mode and connect to the other clients via their internal
IPs or connect to games on the internet.
You may find that
some applications ignore your best efforts and use your default internet
connection anyway, in which case look up an application called
Hope this helped someone because it took me ages to find a way of getting this to work!
I did read somewhere else that 90% of problems with OpenVPN are firewall related – good luck!